Harvest's 'IT Security Matters' Blog

1 July 2011

The UK's Information Commissioner, Christopher Graham, has warned the National Health Service to get its act together, saying that "the security of data remains a systemic problem." He added: "Health workers wouldn't dream of discussing patient information openly with friends and yet they continue to put information on unencrypted memory sticks or fax it to the wrong number. The sector needs to bring about a culture change so that staff give more consideration to how they store and disclose data. Complying with the law needn’t be a day-to-day burden if effective measures are built in and then become second nature. My office is working with Connecting for Health to identify how we can support the health service to tackle these issues."

Well, one way would be for the NHS to provide adequate and ongoing Information Security Awareness Training - just like the kind we provide :)

Just a thought.

20 May 2011

It's got to be deeply unpleasant to be working for Sony right now, especially if you're in any way responsible for IT security. For yes, you've guessed it, another Sony site has been compromised. This time Sony hasn't had details of its customers stolen; instead the attackers have been using a Sony web server to host a phishing site, in this case designed to trick customers of an Italian credit card company into giving away their usernames and passwords.

The Sony top brass must be wringing their hands with frustration while they wait to see how much other awfulness is going to come creeping out of the woodwork. And on top of that, they still haven't been able to get their hacked online gaming network back online, meaning that their die-hard fans are probably considering jumping ship to the Xbox camp by now - great news for Microsoft, more bad news for Sony. But then, if you deprive a gaming addict of his or her daily fix, you've got to expect them to look elsewhere, regardless of how much they love the game that they can only play on your network...Read More

14 May 2011

According to Bloomberg, the hackers that broke into Sony's network rented servers on Amazon's EC2 cloud computing service and launched the attack from there. Forecast? Cloudy with a hint of hacking...Read More

10 May 2011

The UK's Information Commissioner has fined Andrew Jonathan Crossley, former head of legal firm ACS Law, £1,000 for allowing sensitive personal information on over 6,000 people to be exposed on the Internet. The information included individuals’ ISP account details, names and addresses, IP addresses and information about the content they were alleged to have illegally copied. Some of the emails also included people’s credit card details, as well as references to their sex life, health and financial status.

This exposure came about as a consequence of a Distributed Denial of Service attack on his firm last September.

The firm specialised in threatening to sue people for alleged net piracy, then asking them to pay compensation of about £500 per infringement or face court action. It seems likely that users of the message-board 4chan attacked ACS's site in retaliation for its activities. It certainly got results - the attack and the subsequent disclosure of personal data rapidly put the firm out of business.

Christopher Graham, the Information Commissioner said in a statement: "The security measures ACS Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details. As Mr Crossley was a sole trader it falls on the individual to pay the fine. Were it not for the fact that ACS Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach." Ouch.

It seems to me that one of the morals of this story is that if you are going to do something that might make your organisation unpopular with the hacking fraternity, you had better make certain you have very good IT security in place...Read More

4 May 2011

The New York Attorney General has now subpoenaed Sony requesting that it explain how it protects customers' personal information. Sony's response should make interesting reading, to put it mildly...Read More

4 May 2011

NHS Barnet has admitted to a huge number of data security breaches: a truly staggering 187 incidents over a three-year period. Other NHS trusts have performed badly as well, making the UK's National Health Service by far the worst culprit in the UK for Data Leakage Incidents of any kind...Read More

3 May 2011

Sony has now admitted that a separate network, Sony Online Entertainment, used by PC gamers, has also been hacked, adding a further 24.6 million customers to the already mammoth number. That takes the total of customers affected to over 100 million. This is going to take a monumental amount of cash and effort to clean up. But the good news is that it looks like at least some of the credit card details exposed in both hacks were encrypted. So that's alright then ;) ...Read More

27 April 2011

Sony's PlayStation Network (PSN), the network that allows PlayStation owners to play each other across the Internet, has been hacked. Details of the hack are still a little sketchy, as, perhaps understandably, Sony are playing their cards close to their chest. However, it is now apparent that the attackers obtained the name, address, country, date of birth, PlayStation Network/Qriocity login and password, and handle/PSN online ID of 77 million people worldwide. And quite possibly their credit card details too. Yes, you read it right: seventy-seven million!

Oh, and the hacker may have also obtained the PSN users' purchase history, billing address, and password security questions.

Round here in Harvest Towers we call that a monumental Data Leakage Incident. I mean, it's just huge. An incident of this magnitude affecting so many people is surely going to make everyone sit up and start to take notice of digital security. Isn't it?

I'm willing to take bets that when (if?) the details emerge, at the heart of the hack will be a combination of lax controls, social engineering of - possibly junior or new - staff and insufficient training - probably of everyone working at PSN. And here and now I'm publicly offering Sony our Information Security Awareness Training for all of their staff - at half price.

I normally put a link to an authoritative website when I write about hacks like this, but this time I'm not going to bother - just Google it yourself and you'll easily find hundreds of thousands of news sites covering this story.

Instead, I recommend you have a look at this advice* and this* on how to avoid identity theft, a crime of which all 77 million PSN customers are now more likely to become victims. To the advice on those sites I would add that you should read your bank and credit card statements very carefully, line by line, and report any transaction you don't recognise to the card issuer straight away: it may help them to track and catch the criminals involved, and it may also save you a ton of money and inconvenience.

18 April 2011

The UK's Ministry of Defence has managed to reveal sensitive military information online through what it described as a "technical error", but in reality it was incompetence, pure and simple. A PDF document was posted online with the sensitive passages 'blacked out' by nothing more than drawing black boxes over them (setting the text background to black). The text underneath was never removed from the file, so anyone could select it, copy it and paste it elsewhere to read it in full. Painting over text only hides it on screen; a real redaction tool deletes the characters from the document, so that copy-and-paste, text extraction and search all come up empty, and the only safe check is to try exactly that on the file before it is published. By way of a blatant plug, we include prevention of mistakes like this in our training!...Read More
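To show what went wrong in the MoD case, here is an added example (my own code, not anything from the MoD or from the page linked above). It builds a tiny PDF in memory whose page prints a constructed sample sentence and then paints a black rectangle over the 'secret' half, exactly the way the document was 'redacted', and then pulls the text straight back out of the compressed content stream without any PDF library. The sample text, the page layout and the minimal PDF structure are all constructed for the demonstration.

```python
"""Why a black box is not a redaction: the text is still in the file.

Added example, not code from the original blog post. Builds a minimal PDF
with a Flate-compressed content stream, draws two lines of text, covers the
second with a black rectangle, then recovers both lines from the stream.
"""
import re
import zlib

# Constructed sample text; nothing here comes from any real document.
PUBLIC = "Public summary line"
SECRET = "the frigate sails from Portsmouth on Tuesday"


def build_page_content(public: str, secret: str) -> bytes:
    """PDF page operators: two text runs, then a black box over the second."""
    ops = (
        "BT /F1 12 Tf 72 700 Td (%s) Tj ET\n"
        "BT /F1 12 Tf 72 680 Td (%s) Tj ET\n"
        "0 g 72 676 300 14 re f\n"      # the 'redaction': fill a black rectangle
    ) % (public, secret)
    return ops.encode("latin-1")


def build_pdf(public: str, secret: str) -> bytes:
    """Assemble a minimal PDF whose content stream is zlib (FlateDecode) compressed."""
    content = zlib.compress(build_page_content(public, secret))
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Resources << /Font << /F1 5 0 R >> >> /Contents 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content)
        + content + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for i, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref)
    return bytes(out)


# A stream object: a dictionary (no nested '>>', enough for this demo) followed
# by 'stream ... endstream'. Real files may nest dictionaries; a full parser
# would handle that, this check deliberately stays library-free.
STREAM_RE = re.compile(rb"<<((?:(?!>>).)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
# Literal strings handed to the Tj (show text) operator.
STRING_RE = re.compile(rb"\((.*?)\)\s*Tj")


def decode_stream(dictionary: bytes, raw: bytes) -> bytes:
    """Inflate FlateDecode streams; anything else is returned as-is."""
    if b"/FlateDecode" in dictionary:
        return zlib.decompress(raw)
    return raw


def extract_text(pdf: bytes) -> list:
    """Return every string drawn with Tj, in drawing order.

    The black rectangle ('re f') drawn afterwards changes nothing: the glyph
    strings are still in the content stream, which is what copy-and-paste reads.
    """
    found = []
    for dictionary, raw in STREAM_RE.findall(pdf):
        try:
            data = decode_stream(dictionary, raw)
        except zlib.error:
            continue
        found.extend(s.decode("latin-1") for s in STRING_RE.findall(data))
    return found


def fake_redaction_leaks(pdf: bytes, secret: str) -> bool:
    """True when the supposedly redacted text can be recovered from the file."""
    return any(secret in s for s in extract_text(pdf))


if __name__ == "__main__":
    pdf = build_pdf(PUBLIC, SECRET)
    print(extract_text(pdf))
    print("fake redaction leaks:", fake_redaction_leaks(pdf, SECRET))
```

Note that a plain `grep` on the file would not have found the sentence, because the content stream is compressed; that is why a 'quick look' at the raw bytes is not a redaction check. Run the same extraction (or simply select-all and copy in a viewer) on the document you are about to publish, and if the sensitive text comes back, it was never redacted.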

12 April 2011

In Austin, Texas, there has been a Data Leakage Incident in the Texas comptroller’s office. The incident involved the exposure of Social Security numbers, birth dates and other personal information belonging to 3.5 million people. Around 1.2 million were education employees and retirees, 2 million were in Texas Workforce Commission records, and 281,000 came from Employees Retirement System of Texas data covering state employees and retirees. And they were placed on a publicly accessible server, and not encrypted.

Every single one of these 3.5 million people could now become the victim of identity theft and impersonation-type hacks...Read More

05 April 2011

The City of York Council in the UK has been found in breach of the Data Protection Act after mailing documents containing personal data to an unrelated third party. Yet again, a totally avoidable human lapse - that our training could well have prevented...Read More

05 April 2011

Epsilon, a US e-mail marketing firm that runs the e-mail marketing campaigns of many huge businesses from around the world, was hacked at the end of March. The e-mail addresses of a so-far undisclosed number of individuals who are customers of Epsilon's client firms have been compromised. Given that Epsilon sends around 40 billion legitimate e-mails a year on behalf of its clients, and has acknowledged that roughly 2% of its client base was affected, I'd say it is highly likely that the number of individuals now under threat is in the millions - possibly the tens of millions.

These people are at high risk of receiving highly targeted phishing e-mails purporting to come from the companies that engaged Epsilon to do their marketing - the attacker now knows exactly which company each address has a relationship with, which is what makes such e-mails convincing. The companies so far known to be affected by this breach include some household names, including major banks:

AbeBooks

Ameriprise Financial

Barclays Bank

Best Buy

Brookstone

Citibank

Disney Destinations

Hilton Worldwide

JP Morgan Chase

Kroger

Lacoste

Marriott International

McKinsey Quarterly

New York & Company

Robert Half

Target

Tivo

US Bank

Walgreens

So, if you're a customer of any of these companies you should exercise particular vigilance right now in relation to any e-mails you receive from them...Read More

04 April 2011

RSA, the security division of EMC, was itself hacked last month. Quite how RSA will ever recover their industry-leading reputation is beyond me, because quite simply they fell for some pretty unsophisticated tactics. These included a spear phishing attack on low-level employees, followed up by the exploitation of a then-unpatched vulnerability in Adobe Flash (by RSA's own account, a Flash object embedded in a spreadsheet attached to the phishing e-mail). This gave the attackers full control of the compromised machine, which they used to harvest credentials and escalate to higher-privileged accounts, up to Domain Admin - and voila, network owned.

From there to stealing the data they were after, relating to some of RSA's security products, was just a few short steps. And RSA were not even following the advice they give their own clients. A statement with a photo of their smiling chairman says essentially 'don't panic, move along, nothing to see here'. But the smile looks strained and the body language says "my days here are numbered." Quite. With all their expensive technical defences and expertise in information security, they were still hacked. Yet some of our (inexpensive!) training could have stopped this exploit from ever happening...Read More
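Training is one layer; a mail gateway that refuses Office attachments carrying an embedded Flash object is another, and it would have stopped the RSA lure regardless of who opened it. The following is an added example of my own (not RSA's code and not anything from the page linked above). SWF files begin with one of three three-byte signatures followed by a version byte and a little-endian length, which is enough to recognise one inside an attachment without fully parsing the Office container. The sample 'spreadsheet' and the embedded object are constructed in memory and are not real malware; the member path `xl/embeddings/oleObject1.bin` is simply where Office keeps embedded objects.

```python
"""Spot an embedded Flash (SWF) object inside an e-mail attachment.

Added example, not code from the original post or from RSA. Scans a file
for SWF headers; if the file is a ZIP container (docx/xlsx/pptx) it scans
each member as well. The sample attachment is constructed below.
"""
import io
import struct
import zipfile
import zlib

# SWF signatures: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def find_swf_headers(data: bytes) -> list:
    """Return (offset, signature, version, declared_length) for each plausible SWF header."""
    hits = []
    for magic in SWF_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            header = data[pos:pos + 8]
            if len(header) == 8:
                version = header[3]
                length = struct.unpack("<I", header[4:8])[0]
                # A real header declares a version Adobe actually shipped and a
                # length of at least its own 8 bytes; this discards chance
                # three-letter matches in ordinary text (see the test below).
                if 1 <= version <= 64 and 8 <= length <= 200 * 1024 * 1024:
                    hits.append((pos, magic.decode(), version, length))
            pos = data.find(magic, pos + 1)
    return hits


def scan_attachment(blob: bytes) -> list:
    """Scan one attachment. ZIP-based Office files are scanned member by member
    (members are deflated, so a raw scan would miss them); anything else is
    scanned as raw bytes, which covers legacy OLE2 .xls/.doc files."""
    findings = []
    if blob[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                for name in zf.namelist():
                    for hit in find_swf_headers(zf.read(name)):
                        findings.append((name,) + hit)
        except zipfile.BadZipFile:
            pass
    else:
        for hit in find_swf_headers(blob):
            findings.append(("<raw>",) + hit)
    return findings


def is_suspicious(blob: bytes) -> bool:
    """Gateway decision: quarantine any Office attachment with embedded Flash."""
    return bool(scan_attachment(blob))


# --- constructed sample data, not real files ---------------------------------

def make_swf(version: int = 10, body: bytes = bytes(13)) -> bytes:
    """Constructed CWS header plus a dummy zlib body; not a playable movie.
    For CWS the length field is the uncompressed size including the header."""
    return b"CWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)


def make_sample_xlsx(embed_swf: bool) -> bytes:
    """Constructed stand-in for an .xlsx attachment (a zip of XML parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook>2011 Recruitment plan</workbook>")
        if embed_swf:
            # Embedded objects live under xl/embeddings/, wrapped in an OLE
            # container; pad the SWF with zero bytes to imitate that wrapper.
            zf.writestr("xl/embeddings/oleObject1.bin",
                        b"\x00" * 64 + make_swf() + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        sample = make_sample_xlsx(flag)
        print("embedded flash:", flag, "->", scan_attachment(sample))
```

The version and length sanity checks matter: the three-letter signatures turn up by chance in ordinary text, so a signature alone would flag harmless mail. The check is cheap enough to run on every attachment at the gateway, and it is exactly the kind of control that does not depend on a junior employee making the right call.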

30 March 2011

A BP employee has lost a laptop containing the personal details of 13,000 Louisiana oil spill victims. The laptop's hard disk was not encrypted, although BP did stress that the data was "protected by a password". Unfortunately, password protecting an unencrypted disk is useless as a security measure: the password only guards the operating system's login screen, not the data on the disk. All an attacker has to do is take the disk out of the laptop, put it in a cheap (£5.99, or less than $10) USB disk caddy and read its contents from any other PC or laptop they wish. That's more bad publicity than BP could have done without, not to mention the cost of dealing with the incident...Read More

23 March 2011

Panda Security has released a study which shows that 63% of US schools are suffering at least two Information Security Breaches a year. That's an awful lot of potential data theft or just wasted resources...Read More

23 March 2011

Leicester City Council has managed to lose a USB stick with some very sensitive data on it - personal details of 4,000 elderly and vulnerable people, along with 2,000 door access codes. The sort of codes that allow care workers to enter the house of someone who is unable to answer the door easily - and therefore particularly vulnerable. There is no mention of the stick being encrypted, so let's assume it isn't. Nasty...Read More

*** Update 11/04/2011*** They've found it - it was never lost at all. But they might still be fined by the ICO, and they've still inconvenienced hundreds of people and wasted thousands of pounds changing locks unnecessarily. Watch this space...Read More

22 March 2011

A study by CPP shows that people are being careless with their personal data when selling used phones on eBay. Actually, careless doesn't come close. We're talking about credit and debit card PINs, bank account details, phone numbers and login details for Facebook and Twitter. So here's some advice for you, if you're thinking of selling a used phone: destroy the SIM (and any memory card you don't need to keep), and wipe the phone's storage with overwriting software rather than just deleting the files, because a deleted file is still sitting on the storage until something writes over it. Bear in mind that flash memory doesn't always overwrite in place, so a full-device wipe is more reliable than overwriting individual files, and where the phone supports storage encryption, turn it on before wiping so that any remnants that survive are unreadable. Otherwise you're begging to become the victim of identity theft, or to have your bank account emptied...Read More

22 March 2011

Massive online retailer Play.com has been hacked, potentially exposing millions of customers' personal information, including credit card details. The facts of the breach have yet to be released, so we - along with the rest of their customers - await further particulars...Read More

17 March 2011

The City of Cleveland has caused 10 applicants for the role of municipal court judge to question the wisdom of applying, after copies of their application forms were found thrown into a public recycling dumpster in Cleveland. As you would expect, the job applications contained detailed personal information, including Social Security and driver’s license numbers, their home address, references, a job history, their educational details and phone numbers, as well as each applicant’s signature. In short, these forms would have been like striking gold to anyone intent on carrying out some identity theft or related crimes, especially as these are all likely to be high net worth individuals...Read More

16 March 2011

The US health insurer Health Net has lost several hard disks from a server in a data centre move. Well, actually IBM lost them on their behalf, but the effect will be the same. The disks were unencrypted, of course - I mean, who would think you'd need to encrypt disks inside a server? That's another question for another day. They had on them the sort of data that would give any company boss nightmares if they lost it, and Health Net was forced to say in a statement that "personal information of some former and current Health Net members, employees and health care providers is on the drives, and may include names, addresses, health information, Social Security numbers and/or financial information." Ouch.

This is not a first offence for Health Net, as they lost personal data on 1.5 million customers in a similar data loss incident in 2009. This time the costs of cleanup will doubtless be greater, and the penalties will certainly reflect the fact that they are repeat offenders. Estimates place the likely total cost to the company of this breach at as much as $655 million - yes, you read that right!...Read More

16 March 2011

The University of York has managed to expose personal information on 17,000 students and their family members to the world at large, due to poor web site practices. Oops...Read More

9 March 2011

We've been predicting for over a year that smartphones were an accident waiting to happen, in terms of letting your employees use them for business purposes, but now that the first major hack of phones has taken place we can't say we're feeling smug. Just sad.

Yesterday Google confessed that around 260,000 Android smartphones were infected after their owners downloaded malware-laden apps from Google's Android Market. At least 50 infected apps have been withdrawn, and Google had to use its remote removal mechanism to delete the affected apps from people's phones. Here's hoping that no businesses lost data in the process...Read More

4 March 2011

Microsoft have announced yet another campaign aimed at getting people to stop using the ancient and decidedly insecure Internet Explorer 6. I hope no-one reading this blog is guilty of that heinous crime, but just in case you might know someone who is still in the computing stone age, see if you can persuade them of the folly of their ways. Oh, and get them to stop using Windows ME as well, while you're at it. You know it makes sense.

2 March 2011

Google's Android phones have been targeted by malware authors, and the cunning part was that the malware was disguised as free apps on the Android Market. Got an App for that? Yes, Google had to intervene and remotely remove the malicious code from affected handsets. Maybe Apple have a point with their very zealously protected App Store...Read More

1 March 2011

Over 17,000 USB sticks were left at dry cleaners and launderettes in 2010. If you're a business owner, or an executive in any organisation, that shocking statistic should be sending chills down your spine. Your people need training to raise their awareness of these issues, so that your organisation doesn't appear on this list. Or, worse still, the ICO's list. To make sure your employees don't make such elementary errors, e-mail us now.

23 February 2011

Cambridgeshire County Council has had its knuckles rapped by the ICO after an employee ignored its "Encrypted USB Sticks Only" rule, apparently after having problems using the encrypted ones - and then lost an unencrypted USB stick. If ever there was a clear case for ongoing and continuous Information Security Awareness Training this is it. There's a lesson for IT as well: if the approved encrypted sticks are awkward to use, people will route around them, so fix the tooling along with the training. Oh, and perhaps a sacking, to really send the message to everyone that when they say "encrypted only" they mean it.

In the meantime at least 6 vulnerable adults have had their personal details lost...Read More

18 February 2011

The UK Government has released a study* which estimates that Cyber Crime is now costing the UK economy £27 billion a year!

Of this, £21 billion is estimated to be the cost to business, including:

£9.2 billion from theft of intellectual property

£7.6 billion from industrial espionage

£2.2 billion from Extortion against UK companies

£1 billion for the loss of customer data

Around £2.2 billion is fraud against the government itself, while cyberfraud against ordinary citizens amounts to around £3.1 billion in total, including:

£1.7 billion from identity theft

£1.4 billion from online scams

Fake anti-virus scams alone account for £30 million ripped off from UK citizens.

And this is just the money that has been lost. Would anyone care to put an estimate on the cost of all the working hours lost due to people surfing the net when they should be working, or playing CityVille or Bejewelled Blitz? Or shopping on eBay or Amazon, or Tesco? Or playing Spider Solitaire? Or downloading copyrighted material illegally?

It's time for pro-active measures to stop these losses, all of them.

* pdf reader required

10 February 2011

A library in Wilmslow in Cheshire has discovered hardware keyloggers attached to its public access computers - devices plugged in between the keyboard and the PC that record every keystroke, including passwords and card numbers...Read More

9 February 2011

A recruitment website in the Irish Republic, RecruitIreland.com, has been hacked, exposing the names and e-mail addresses of 400,000 of their customers. That's a lot of unhappy people...Read More

8 February 2011

The Information Commissioner has fined two more organisations, both local councils, for losing personal data on some of their citizens. In both cases the data was held on password protected but unencrypted laptops stolen from an employee's home. Ealing Council was fined £80,000 and Hounslow Council was fined £70,000. Ealing council lost the details of roughly 1,000 people, while Hounslow Council lost information on approximately 700 people. The office of the Information Commissioner is, once again, making the point that having unencrypted personal data exposed to the risk of loss in this way is simply unacceptable.

2 February 2011

The UK's Ministry of Defence has responded to a Freedom of Information request, revealing that in 2010, 12 computers were lost, with 9 more stolen, 45 laptops were lost with 76 more stolen, and 47 USB memory sticks were lost while 3 more were stolen. Oh, and they added to this shocking admission that these figures did not include incidents currently being investigated!

I sleep easier in my bed at night knowing that our gallant lads and lasses of the MoD are there to protect us. I just wish they'd protect their data better...Read More

1 February 2011

Apart from the big news that Egypt's government has 'switched off' the Internet to its citizens to try and quell the unrest in the country (and good luck with that, because unless they have developed a way of blocking satellite and mobile phone signals then their Internet-savvy citizens are going to be online anyway), the world's largest free dating site has been hacked. Yes, PlentyOfFish has been penetrated (if you'll excuse the term!), and the e-mails, user names and passwords of 30 million people have been compromised. And that's 30 million people that may be more than a little miffed that the fact that they're even a member of a dating site is now 'out there'...Read More

26 January 2011

Mobile network operator O2 has announced it will be offering free wi-fi Internet access across the UK, through a network of hotspots. The service will be free to use, including to non-O2 customers. Sounds great, but without wishing to be a wet blanket or party pooper, I'd like to sound a large note of caution. Free wi-fi Internet access means that everyone and their uncle will be able to access it, and some of the people that will be encouraged to crawl out of the woodwork to use this service will be the sort who don't want their network session easily traceable. They might be surfing for illegal varieties of porn, they might be arranging or researching terrorist attacks, or they might be quietly attempting to hack everyone else's computer that is using the service. If you do use an open hotspot, assume that anything you send unencrypted can be read by whoever else is on it: stick to HTTPS sites, or better still use a VPN. So be careful out there...Read More

21 January 2011

Retailer of cosmetics Lush.co.uk has been forced to take down its website after an attack led to customers' credit card details being hacked. All online orders placed between 4th October 2010 and 20th January 2011 are potentially affected, and many of the stolen credit card details have already been used to pay for transactions. In one reported case alone, nearly £6,000 has been stolen already. The company has not disclosed how many people have been affected by this hack, but it is likely to be in the thousands...Read More

21 January 2011

Users of website Trapster.com have been warned to change their passwords if they use the same password on other websites (not a great idea, but most people do this). The site was breached and around 10 million users' e-mail addresses and passwords are now compromised...Read More

19 January 2011

The latest annual threat report from Sophos has been released, and it contains some grim reading. For example, the huge number of users on Facebook (over 500 million souls and rising), many of whom are relatively inexperienced Internet users, is attracting the attention of scammers and cyber criminals. The number of scams, cons, hack and hijack attempts that are targeted at the users of social networks is enormous, and growing constantly. In a poll of Facebook users that Sophos conducted, 67% had received spam messages of one form or another, 43% had experienced a phishing attack, and 40% had received malware of some form. It's a feeding frenzy - be careful out there...Read More

18 January 2011

Symantec have released figures showing that "off the shelf" attack kits are now being traded between criminals and are being used in over 50% of attacks. The days when an attacker had to be an expert programmer are now officially over, as long as you can afford the fee to use an attack kit. For example, according to their report, renting the 'Zeus' kit will set you back a cool $8,000. But when the return on investment can be in the millions, this is chicken feed...Read More

18 January 2011

A doctor from Hull and East Yorkshire Hospitals NHS Trust broke the trust's information security policy by e-mailing data on 1,000 patients to himself and storing it on an unencrypted laptop - which was then stolen from his home. The data included patients' names, dates of birth and hospital treatment...Read More

13 January 2011

US Internet Security company KnowBe4.com has disclosed the results of a free security audit it ran recently for a customer. They tested the information security awareness of the customer company's staff by sending a simulated phishing attack e-mail to that company's employees - and 21% of them treated it as a genuine message. How scary is that!...Read More

04 January 2011

Here's a potentially game-changing piece of news - Firefox has overtaken Internet Explorer to become the most widely used browser in Europe. In December, Firefox took 38.11% of European market share, compared to IE's 37.52%. Google's Chrome browser is possibly the reason why, as IE is losing market share to Chrome while Firefox usage has stayed fairly constant. What are the implications for your organisation's security? Well, for my money, while your organisation could think about changing its standard PC browser to Firefox, the growing popularity of Firefox might well mean that it becomes more of a target for malware authors. With its IE browser series, Microsoft may not have all the answers, but with Auto Update and Patch Tuesday they are getting more things right than some of their competition. IE9 is due for release soon (no date given by Microsoft yet), so it will be interesting to see how that affects the browser wars...Read More